[Hold][WIP] IdP integration

docs.json

@@ -317,6 +317,13 @@
               "enterprise/security-compliance/overview"
             ]
           },
+          {
+            "group": "IdP integration",
+            "pages": [
+              "enterprise/idp/overview",
+              "enterprise/idp/ui"
+            ]
+          },
           {
             "group": "AWS",
             "pages": [

enterprise/idp/overview.mdx

@@ -0,0 +1,57 @@
+---
+title: IdP overview
+sidebarTitle: Overview
+---
+
+<Note>
+    The following information applies only to dedicated instance and in-VPC deployments of [Unstructured Enterprise](/enterprise/overview). 
+
+    IdP integration is not available for Unstructured **Starter** or **Team** accounts.
+</Note>
+
+An _identity provider_ (IdP) is a service that manages and verifies the digital identities of users. 
+It authenticates who a user is and provides that information to other systems (known as _service providers_) to control access. 
+You can connect your organization's IdP to Unstructured so you can manage who has access across all your connected systems from one place. 
+Instead of having to manually create and manage user accounts and roles within your Unstructured account, Unstructured can use your organization's IdP to determine 
+things such as:
+
+- Who can sign in to your Unstructured account.
+- Which roles and permissions they should have within your Unstructured account.
+- Revoking access to your Unstructured account&mdash;for example, when someone leaves your organization.
+
+## Supported IdPs
+
+Unstructured supports IdPs that use any of the following protocols:
+
+- Keycloak OpenID Connect
+- OpenID Connect v1.0
+- SAML 2.0
+
+## IdP groups
+
+_IdP groups_ are collections of users defined within your IdP&mdash;for example, an Engineering group, a Marketing group, or an 
+Administrators group. Unstructured can use your IdP groups to automatically assign roles and permissions within your Unstructured account 
+at the account level and for each of your account's workspaces.
+
+## Roles
+
+_Roles_ are the sets of permissions that Unstructured can assign to your IdP groups&mdash;as well as to individual users separately within your Unstructed account, if needed&mdash; through 
+a common security best-practice technique called _role-based access control_ (RBAC). Unstructured has two kinds of roles:
+
+- **Account roles**: These roles include **Super Administrator**, **Account Member**, and **Billing Administrator**. They apply at the account level.
+- **Workspace roles**: These roles include **Workspace Administrator**, **Developer**, **Operator**, and **Viewer**. They apply to each of your account's workspaces.
+
+[Learn more about these roles](/ui/account/roles).
+
+## Getting started
+
+To have Unstructured connect your organization's IdP to your Unstructured account, contact your assigned 
+Unstructured Account Executive (AE) or Customer Success Manager (CSM). If you do not know who your assigned AE or CSM is, 
+email Unstructured Support at [support@unstructured.io](mailto:support@unstructured.io).
+
+## Next steps
+
+After Unstructured has connected your organization's IdP to your Unstructured account, you can manage access by your IdP groups and individual users to your 
+Unstructured account and its workspaces. To do this, you can use your 
+Unstructured account's user interface (UI). For details, see 
+[IdP management with the Unstructured UI](/enterprise/idp/ui).

enterprise/idp/ui.mdx

@@ -0,0 +1,194 @@
+---
+title: IdP management with the Unstructured UI
+sidebarTitle: UI
+---
+
+<Note>
+    The following information applies only to dedicated instance and in-VPC deployments of [Unstructured Enterprise](/enterprise/overview). 
+
+    IdP integration is not available for Unstructured **Starter** or **Team** accounts.
+</Note>
+
+The following information assumes that Unstructured has already connected your organization's IdP to your Unstructured account. 
+For more information, see [Getting started](/enterprise/idp/overview#getting-started).
+
+## Add an IdP group to your Unstructured account
+
+1. If you are not already signed in, sign in to your Unstructured account.
+2. In the top navigation bar, in the organizational account selector, select the name of the organizational account that you want to add the IdP group to.
+3. TODO: Describe how to go to the account's **Identity Provider Groups** page.
+4. Click **New Group**.
+5. On the **Connect Group** page, for **Identity Provider Group**, type the name of the IdP group that you want to add, and then click **Continue**.
+
+   <Note>
+       You must type the name of the IdP group exactly as it appears in your IdP. Otherwise, Unstructured will not be able to 
+       successfully complete the connection to that IdP group through your IdP.
+   </Note>
+
+6. On the **Assign Role** page, for **Account Role**,select the name of the [organizational account role](/ui/account/roles#organizational-account-roles) that you want to assign to the IdP group for this 
+   organizational account, and then click **Continue**.
+7. On the **Assign Workspaces** page, for **Workspaces and permissions**, select each workspace&mdash;and the 
+   [workspace role](/ui/account/roles#workspace-roles) for that workspace&mdash;that you want to assign to the IdP group, and then click **Add**.
+
+   <Tip>
+       You can also create a new workspace here&mdash;and assign the IdP group to it with a workspace role at the same time&mdash;by clicking **Add Workspace**.
+   </Tip>
+
+8. Click **Save Group**.
+
+The account and workspace roles' permissions are enabled for each of the IdP group's existing users the next time they sign in to your 
+Unstructured account. 
+
+Whenever you add a user to the IdP group, they get the associated account and workspace roles' permissions the next time they 
+sign in to your Unstructured account. 
+
+If a user is already signed in to your Unstructured account but is not getting the permissions they expect, the user should try signing out of your Unstructured account and then signing back in again, to get those permissions. 
+
+If you remove a user from the IdP group, the associated account and workspace roles' permissions are revoked for them the next time they sign in to your Unstructured account.
+
+## Add an IdP group to a workspace
+
+This procedure assumes you have already added the IdP group to your Unstructured account. [Learn how](#add-an-idp-group-to-your-unstructured-account).
+
+1. If you are not already signed in, sign in to your Unstructured account.
+2. In the top navigation bar, in the organizational account selector, select the name of the organizational account that contains the workspace.
+3. In the top navigation bar, in the workspace selector, select the name of the workspace.
+4. On the **Members** tab, click **Add New**, and then click **Add New IdP Group**.
+5. Select the IdP group to add and its [workspace role](/ui/account/roles#workspace-roles) for this workspace, and then click **Save Changes**.
+
+## Change a workspace role for an IdP group
+
+This procedure assumes you have already added the IdP group to your Unstructured account and the workspace within that account. [Learn how](#add-an-idp-group-to-your-unstructured-account).
+
+1. If you are not already signed in, sign in to your Unstructured account.
+2. In the top navigation bar, in the organizational account selector, select the name of the organizational account that contains the workspace.
+3. In the top navigation bar, in the workspace selector, select the name of the workspace.
+4. On the **Members** tab, click the ellipsis (three dots) next to the name of the IdP group.
+5. Click **Edit Permissions**.
+6. TODO: Describe how to finish changing the IdP group's workspace role.
+
+## Change an account role for an IdP group
+
+This procedure assumes you have already added the IdP group to your Unstructured account. [Learn how](#add-an-idp-group-to-your-unstructured-account).
+
+1. If you are not already signed in, sign in to your Unstructured account.
+2. In the top navigation bar, in the organizational account selector, select the name of the organizational account.
+3. TODO: Describe how to go to the account's **Identity Provider Groups** page.
+4. Select the name of the IdP group.
+5. Next to **Account Role**, click the edit (pencil) icon.
+6. Select the new [organizational account role](/ui/account/roles#organizational-account-roles) for the IdP group.
+
+## Add individual users to your Unstructured account
+
+Unstructured recommends that you add IdP groups to your Unstructured account, instead of adding individual users. 
+Managing IdP groups can be easier, faster, and less error-prone than managing individual users. 
+However, if you must add individual users to your Unstructured account, you can do so by following these steps.
+
+1. If you are not already signed in, sign in to your Unstructured account.
+2. In the top navigation bar, in the organizational account selector, select the name of the organizational account.
+3. On the **Members** tab, click **New Member**.
+4. On the **Add Member** page, for **Email**, type the email address of each individual user to add, and then click **Continue**.
+5. On the **Assign Role** page, for **Account Role**, select the [organizational account role](/ui/account/roles#organizational-account-roles) for the individual users, and then click **Continue**.
+
+   <Warning>
+       An organizational account role that is assigned to an individual user always overrides any organizational account role that is assigned to any IdP group to which that user belongs. 
+       This override happens the next time they sign in to your Unstructured account.
+   </Warning>
+
+6. On the **Assign Workspaces** page, for **Workspaces and permissions**, select each workspace&mdash;and the 
+   [workspace role](/ui/account/roles#workspace-roles) for that workspace&mdash;that you want to assign to the individual users 
+   for each workspace&mdash;and then click **Add**.
+
+   <Warning>
+       A workspace role that is assigned to an individual user always overrides any workspace role that is assigned to any IdP group to which that user belongs. 
+       This override happens the next time they sign in to your Unstructured account.
+   </Warning>
+
+   <Tip>
+       You can also create a new workspace here&mdash;and assign individual users to it with a workspace role at the same time&mdash;by clicking **Add Workspace**.
+   </Tip>
+
+7. Click **Invite Members**.
+
+## Change a workspace role for an individual user
+
+This procedure assumes you have already added the individual user to your Unstructured account and the workspace within that account. [Learn how](#add-individual-users-to-your-unstructured-account).
+
+1. If you are not already signed in, sign in to your Unstructured account.
+2. In the top navigation bar, in the organizational account selector, select the name of the organizational account.
+3. In the top navigation bar, in the workspace selector, select the name of the workspace.
+4. On the **Members** tab, next to the user's email, click the ellipsis (three dots), and then click **Edit Permissions**.
+5. Select the new [workspace role](/ui/account/roles#workspace-roles) for the user.
+
+## Change an account role for an individual user
+
+This procedure assumes you have already added the individual user to your Unstructured account. [Learn how](#add-individual-users-to-your-unstructured-account).
+
+1. If you are not already signed in, sign in to your Unstructured account.
+2. In the top navigation bar, in the organizational account selector, select the name of the organizational account.
+3. On the **Members** tab, click the user's email.
+4. Select the new [organizational account role](/ui/account/roles#organizational-account-roles) for the user.
+
+## Remove an individual user from a workspace
+
+This procedure assumes you have already added the individual user to your Unstructured account and the workspace within that account. [Learn how](#add-individual-users-to-your-unstructured-account).
+
+<Note>
+    Removing an individual user from a workspace does not necessarily revoke all access to that workspace!
+
+    After you remove an individual user from a workspace, any workspace role that is assigned to any IdP group to which that user belongs will then be applied. 
+    This happens the next time they sign in to your Unstructured account.
+</Note>
+
+This procedure assumes you have already added the user to your Unstructured account and the workspace within that account. [Learn how](#add-individual-users-to-your-unstructured-account).
+
+1. If you are not already signed in, sign in to your Unstructured account.
+2. In the top navigation bar, in the organizational account selector, select the name of the organizational account that contains the workspace.
+3. In the top navigation bar, in the workspace selector, select the name of the workspace.
+4. On the **Members** tab, next to the user's email, click the ellipsis (three dots), and then click **Remove Member**.
+
+## Remove an individual user from an account
+
+This procedure assumes you have already added the individual user to your Unstructured account. [Learn how](#add-individual-users-to-your-unstructured-account).
+
+<Note>
+    Removing an individual user from an account does not necessarily revoke all access to that account!
+
+    After you remove an indivdual user from an account, any account role that is assigned to any IdP group to which that user belongs will then be applied. 
+    This happens the next time they sign in to your Unstructured account.
+</Note>
+
+This procedure assumes you have already assigned the user to the account. [Learn how](#assign-an-account-role-to-an-individual-user).
+
+1. If you are not already signed in, sign in to your Unstructured account.
+2. In the top navigation bar, in the organizational account selector, select the name of the organizational account.
+3. On the **Members** tab, next to the user's email, click the ellipsis (three dots), and then click **Remove Member**.
+
+## Remove an IdP group from a workspace
+
+This procedure assumes you have already added the IdP group to your Unstructured account and the workspace within that account. [Learn how](#add-an-idp-group-to-your-unstructured-account).
+
+<Note>
+    After you remove an IdP group from a workspace, all users in that group will lose access to the workspace. 
+    This happens the next time they sign in to your Unstructured account.
+</Note>
+
+1. If you are not already signed in, sign in to your Unstructured account.
+2. In the top navigation bar, in the organizational account selector, select the name of the organizational account.
+3. In the top navigation bar, in the workspace selector, select the name of the workspace.
+4. On the **Members** tab, next to the IdP group's name, click the ellipsis (three dots), and then click **Remove Member**.
+
+## Remove an IdP group from an account
+
+This procedure assumes you have already added the IdP group to your Unstructured account. [Learn how](#add-an-idp-group-to-your-unstructured-account).
+
+<Note>
+    After you remove an IdP group from an account, all users in that group will lose access to your Unstructured account. 
+    This happens the next time they sign in to your Unstructured account.
+</Note>
+
+1. If you are not already signed in, sign in to your Unstructured account.
+2. In the top navigation bar, in the organizational account selector, select the name of the organizational account.
+3. TODO: Describe how to go to the account's **Identity Provider Groups** page.
+4. Select the name of the IdP group.
+5. Click **Delete Group**.